Posted on 08-27-2018 11:01 AM
Is it just me, or are AD accounts completely mishandled and broken in Mojave? I can't find anyone talking about this.
Posted on 08-27-2018 11:04 AM
@alexjdale Mojave is in beta, so that's why people won't be talking about it. If you have access to the Apple Dev Discussion forums, you can ask there and post a link to the discussion here, and others who have access to those forums can post.
I'm also hoping you're providing bug reports/feedback to Apple. More on that here: https://babodee.wordpress.com/2018/08/22/the-importance-of-filing-feedback-during-major-os-releases-...
Posted on 08-27-2018 11:15 AM
I'm aware of that. The Apple discussions forums are lacking. Lots of people are talking about Mojave here so I was hoping for someone to give me some feedback on this. I have filed my reports on it but can't find anyone talking about it anywhere.
Edit: I did find the problem, it's that User Templates are borked.
Posted on 08-27-2018 01:20 PM
Posted on 09-25-2018 04:40 AM
Posted on 09-25-2018 05:59 AM
Currently also having issues with my own user profile. I upgraded successfully, but when logging in I get an Apple screen and then only a black cursor, and it won't log in with my Mobile Managed AD account; with a local account it seems fine.
Posted on 09-25-2018 01:12 PM
Yeah I just experienced the same thing. I don't think AD binds work.
Posted on 09-25-2018 01:16 PM
So after a whole day of troubleshooting, reinstalling and recovering macOS, changing user templates, FV, SecureTokens, pref plist files...
PRAM reset did the job.
Posted on 09-26-2018 05:34 AM
Been testing enrolling a "new" Mojave device into Jamf Pro as opposed to upgrading a current system. Just erased a Mac mini and put Mojave on it.
One thing that I've noticed. AD accounts when logged in for the first time are showing as internet accounts.
In our environment, with High Sierra, AD accounts automatically downloaded as Mobile Accounts. Have not done anything on our end to change that - other than having macOS Mojave.
So something must be going on in the OS in how it's dealing with AD accounts, I would assume. Still have more testing to do.
Posted on 09-26-2018 05:52 AM
@Alyoung It doesn't help you but I'm not able to reproduce this in 10.7.1 (on-prem) and the latest Mojave revision. We use a script to bind to AD at enrollment time.
Our accounts show as "Managed, Mobile" as expected and I don't have any issues logging in. Tried this on both (Self Service based) upgrades from Sierra and High Sierra, as well as a clean install of Mojave.
Posted on 09-27-2018 07:18 AM
Here's what I've seen:
This is basically what happened when 10.13 came out until we discovered the unchecking of the "use full UNC path" option fixed it.
Running 10.3.0 on-prem (waiting to go to the cloud and can't upgrade before then), using the built in bind configuration.
Edit: I have a script that uses "/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount" to create an account, and that does work. It doesn't get the SecureToken, however.
Posted on 09-27-2018 07:40 AM
I filed a Bug Report for another AD issue at my org. If you have a FileVault config profile to defer FV until logout/restart an AD mobile user (who is also an admin) will not get the authentication prompt. You have to log out/restart from a local admin user for the authentication pop-up to appear. Didn't see this behavior in any of the Mojave betas, just the release 18A391.
Posted on 10-02-2018 12:16 PM
Yes, there is a problem with AD mobile accounts. Upgraded my MacBook Pro from 10.13.6 to 10.14, bound to the AD domain, enrolled in Jamf 9.98, logged in as a domain user; the account created was admin instead of a standard account. Able to log in with this domain account. Tried to delete the domain account from the Users pane in System Preferences: a dialog box prompts with the name of the user to be deleted entered and asks for the password. The password, however, is not accepted, and thus the account is not deleted.
Posted on 10-03-2018 08:36 AM
Honestly, after this, we started to strongly consider ditching AD binding and moving toward something like NoMAD. Jamf owns it now, and there's an open-source version. You get all the same benefits without having to mess with all the finicky binding.
Posted on 10-17-2018 08:41 AM
Seeing the same thing. Has anyone found any solutions for this, or any suggestions? Thanks in advance.
Posted on 01-25-2019 09:54 AM
@cmudgeUWF I am curious how you handle your local admin groups. I used an AD group and a script with Directory Utility to give my techs admin rights on the machines. With NoMAD this functionality is gone once I unbind.
Posted on 01-25-2019 10:32 AM
Posted on 02-20-2019 12:31 PM
@wmateo That's a good point. We've not started the experimentation quite yet, but it could also be accomplished with a local account that only your techs have access to.
Posted on 02-20-2019 06:07 PM
It seems with Mojave you have to use the long form for AD admin groups, so dsconfigad -groups "yourdomain\youradmingroup", including the quotes. I can confirm it works with High Sierra and above, NoMAD and NoMAD Login.
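Putting the two working pieces from this thread together (the long-form `DOMAIN\group` argument to `dsconfigad -groups` from the post above, and the `createmobileaccount` approach from the 09-27-2018 post, which leaves the new account without a SecureToken), here is an added example script; it is not code from any poster. It assumes `createmobileaccount` accepts `-n user -p password`, that `sysadminctl -secureTokenStatus` reports "Secure token is ENABLED for user ..." on stderr, and that `sysadminctl -secureTokenOn` can bootstrap a token from an existing token holder's credentials. The domain and group names are made up. The command names are read from environment variables so the argument handling can be exercised off a Mac; on the Mac itself, run it as root.

```shell
#!/bin/sh
# Added example, not from the thread. Bind-time admin groups in the long
# DOMAIN\group form, plus mobile-account creation with a SecureToken check.
set -u

CMA=/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount

# Join a domain and one or more group names into the comma-separated
# long form that dsconfigad -groups expects on Mojave, e.g.
#   CORP\Mac Admins,CORP\Helpdesk
# A name that already contains a backslash is passed through unchanged.
long_form_groups() {
    domain=$1; shift
    out=""
    for g in "$@"; do
        case $g in
            *\\*) entry=$g ;;
            *)    entry="$domain\\$g" ;;
        esac
        if [ -z "$out" ]; then out=$entry; else out="$out,$entry"; fi
    done
    printf '%s' "$out"
}

# Apply the admin group list. The quoting around "$groups" is what keeps
# the spaces and backslashes intact; the thread's fix is exactly this.
set_admin_groups() {
    groups=$(long_form_groups "$@")
    "${DSCONFIGAD:-dsconfigad}" -groups "$groups"
}

# Create the mobile account the way the 09-27-2018 post does.
# (-n/-p are assumed to be the username/password flags.)
create_mobile_account() {
    "${CREATEMOBILEACCOUNT:-$CMA}" -n "$1" -p "$2"
}

# sysadminctl prints its status line on stderr (assumed wording):
#   sysadminctl[123:456] Secure token is ENABLED for user alice
secure_token_enabled() {
    "${SYSADMINCTL:-sysadminctl}" -secureTokenStatus "$1" 2>&1 \
        | grep -q 'Secure token is ENABLED'
}

# Grant a token using the credentials of an existing token holder
# (a local admin created at setup, or the MDM-managed admin).
grant_secure_token() {
    "${SYSADMINCTL:-sysadminctl}" -secureTokenOn "$1" -password "$2" \
        -adminUser "$3" -adminPassword "$4"
}

# Create the account, then fix up the missing token. Returns 0 only if
# the user ends up with a SecureToken.
provision_mobile_account() {
    user=$1 pass=$2 admin=$3 adminpass=$4
    create_mobile_account "$user" "$pass" || return 1
    if secure_token_enabled "$user"; then
        return 0
    fi
    grant_secure_token "$user" "$pass" "$admin" "$adminpass" || return 1
    secure_token_enabled "$user"
}

# Usage on the Mac, as root:  sh ad_mobile.sh CORP "Mac Admins" Helpdesk
# Mobile accounts are created by calling provision_mobile_account
# user pass adminuser adminpass from a wrapper that holds the secrets.
if [ "$(uname)" = Darwin ] && [ $# -ge 2 ]; then
    set_admin_groups "$@"
    "${DSCONFIGAD:-dsconfigad}" -show | grep -i 'admin groups'
fi
```

After running it, `dsconfigad -show` should list the groups under the administrative section, and `sysadminctl -secureTokenStatus <user>` should report ENABLED; if it does not, the `-adminUser` you passed does not itself hold a token and cannot hand one out.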
Posted on 03-29-2019 03:22 AM
@PhillyPhoto did you ever get a solution for "/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount"? I'm in the same boat.
Posted on 06-21-2019 08:25 AM
Does anyone know if Mojave and Active Directory do not play nice with spaces between the user's first and last name in the login?